PT-2022-19429 · Go-Tuf · Go-Tuf

Joshuagl

Published: 2022-05-05 · Updated: 2022-07-01

CVE-2022-29173

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: go-tuf versions prior to 0.3.0

Description: The issue concerns the client workflow for updating metadata files for roles other than the root role in go-tuf, a Go implementation of The Update Framework (TUF). Specifically, checks for rollback attacks are not implemented correctly, allowing an attacker to cause clients to install software that is older than the software the client previously knew to be available, potentially including software with known vulnerabilities. The client code has several issues: it does not consider previously trusted metadata before updating roles other than the root role, and it saves timestamp and snapshot metadata files as trusted before verifying their version correctness.

Recommendations: For versions prior to 0.3.0, upgrade to version 0.3.0 or newer to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable client workflow until a patch is available. No other workarounds are known apart from upgrading.
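The ordering defect in the description, shown as an added Go example that is not go-tuf's own code: a constructed client store that saves a fetched timestamp file before comparing its version with the trusted one (so the rollback check compares the file with itself), beside the corrected routine that checks against previously trusted metadata first and persists only afterwards. The Metadata and LocalStore types are assumed, minimal stand-ins for the real role files.

```go
package main

import (
	"errors"
	"fmt"
)

// Metadata is a minimal stand-in for a TUF timestamp or snapshot file; the
// real go-tuf types also carry signatures, expiry and hashes (assumed shape).
type Metadata struct {
	Role    string
	Version int
}
// ErrRollback signals that a fetched file is older than the one already trusted.
var ErrRollback = errors.New("rollback attack detected")
// LocalStore models the client's on-disk trusted metadata (constructed).
type LocalStore struct{ Trusted map[string]Metadata }
func NewLocalStore() *LocalStore { return &LocalStore{Trusted: map[string]Metadata{}} }

// UpdateVulnerable mirrors the defective ordering the advisory describes: the
// fetched file is saved as trusted before its version is compared with the
// previously trusted version, so the check compares the file with itself.
func (s *LocalStore) UpdateVulnerable(fetched Metadata) error {
	s.Trusted[fetched.Role] = fetched // saved first: the defect
	if prev, ok := s.Trusted[fetched.Role]; ok && fetched.Version < prev.Version {
		return ErrRollback // unreachable: prev is already the fetched file
	}
	return nil
}

// UpdateFixed checks the fetched version against previously trusted metadata
// first and persists the file only after that check passes.
func (s *LocalStore) UpdateFixed(fetched Metadata) error {
	if prev, ok := s.Trusted[fetched.Role]; ok && fetched.Version < prev.Version {
		return fmt.Errorf("%s: fetched version %d < trusted version %d: %w",
			fetched.Role, fetched.Version, prev.Version, ErrRollback)
	}
	s.Trusted[fetched.Role] = fetched
	return nil
}

func main() {
	for _, u := range []func(*LocalStore, Metadata) error{(*LocalStore).UpdateVulnerable, (*LocalStore).UpdateFixed} {
		s := NewLocalStore()
		_ = u(s, Metadata{Role: "timestamp", Version: 5})    // first, legitimate update
		err := u(s, Metadata{Role: "timestamp", Version: 3}) // a stale file is served
		fmt.Printf("err=%v, trusted version=%d\n", err, s.Trusted["timestamp"].Version)
	}
}
```

The vulnerable path ends with version 3 on disk and no error; the fixed path rejects the stale file and keeps version 5.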


Related Identifiers

CVE-2022-29173
GHSA-66X3-6CW3-V5GJ
GO-2022-0444

Affected Products

Go-Tuf